Famed hacker and social engineer Kevin Mitnick, who was at one time one of the most wanted cyber criminals in the world, has died peacefully at the age of 59 from complications arising from pancreatic cancer, following a 14-month illness.
Mitnick’s death was announced by his family and senior staffers at KnowBe4, the security awareness and training company that he part owned and where he held the position of chief hacking officer.
He is survived by his wife, Kimberley, who is expecting the arrival of their first child later this year.
“Kevin was a dear friend to me and many of us here at KnowBe4. He is truly a luminary in the development of the cyber security industry, but mostly, Kevin was just a wonderful human being and he will be dearly missed,” said KnowBe4 CEO Stu Sjouwerman.
Described by those who knew him as the world’s most famous hacker, Mitnick was known for his intelligence, humour, technological skill, and his talent for social engineering was unsurpassed.
Growing up in suburban Los Angeles, Mitnick’s first brush with social engineering and the concept of hacking came at the age of 12, when he convinced an LA bus driver to tell him where he could obtain a mechanical ticket punching device, which he used to ride buses across the city for free after finding unused transfer slips that the bus company had left in a dumpster.
By the late 1970s, Mitnick had graduated to become a practitioner of the vanishing ‘art’ of phone phreaking, and from there to hacking computer systems. At the age of 16, he broke into the network of microcomputer pioneer Digital Equipment Corporation – which was ultimately to become part of Compaq and later HP – and copied its operating system software.
It was for this early cyber attack that Mitnick was eventually charged and convicted some years later in 1988. He served 12 months in prison followed by three years of supervised release. Towards the end of this period of supervised release, he hacked into the systems of the Pacific Bell phone company, which he said he did to conduct counter-surveillance of the phone company’s monitoring of him on behalf of US law enforcement.
It was for this action that a warrant was issued for Mitnick’s arrest, and he went on the run. Following a two-year manhunt during which he was alleged to have committed multiple hacking offences, he was arrested in February 1995 in South Carolina.
He was ultimately charged with multiple counts of both wire fraud and possession of unauthorised access devices, interception of wire or electronic communications, unauthorised access to a federal computer, and causing damage to a computer.
Mitnick always disputed the allegations that he was a malicious cyber criminal, and maintained he was the victim of misleading reporting in the mainstream media. Writing in The Register in 2003, Mitnick said that while he had been “a pain in the ass” to many, he had never destroyed, disclosed or otherwise used any data that he had accessed.
His supporters, who mounted the famous Free Kevin campaign on his behalf, continue to allege that many of the charges were trumped up and possibly fraudulent. Famously, at one point in his incarceration, a federal judge was successfully convinced that Mitnick had the ability to hack into US military systems and launch a nuclear missile simply by whistling, an entirely implausible scenario that nevertheless earned him eight months in solitary confinement.
Ultimately, however, Mitnick did plead guilty to a number of charges as part of a plea bargain, and received a 46-month jail term, plus 22 months for violating his earlier supervised release arrangement. Having already served over four years prior to his trial, he was released on 21 January 2000, and forbidden from using any form of technology other than a landline telephone.
Following his release, Mitnick founded his own security consultancy and became a successful consultant, public speaker and author, a regular presence on the cyber security event circuit, and a respected educator and commentator on cyber issues. He was the author of several books, the subject of others, and was portrayed by Skeet Urich (The Craft, Scream, As Good As It Gets) in the 2000 movie Takedown.
More recently, on teaming up with KnowBe4, he developed the Kevin Mitnick Security Awareness Training (KMSAT) security education package, which distilled his accumulated knowledge into one of the organisation’s most popular product lines.
A memorial service for Mitnick will take place in Las Vegas on 1 August 2023, at which he will be interred alongside his mother and grandmother. More information is to be shared in due course, including details of virtual attendance for friends and colleagues.